IPv6 Network Mobility

Network Authentication, Authorization, and Accounting has been used since before the days of the Internet as we know it today. Authentication asks the question, “Who or what are you?” Authorization asks, “What are you allowed to do?” And fi nally, accounting wants to know, “What did you do?” These fundamental security building blocks are being used in expanded ways today. The fi rst part of this two-part series focused on the overall concepts of AAA, the elements involved in AAA communications, and highlevel approaches to achieving specifi c AAA goals. It was published in IPJ Volume 10, No. 1[0]. This second part of the series discusses the protocols involved, specifi c applications of AAA, and considerations for the future of AAA

A Security-aware Approach to JXTA-Overlay Primitives

The JXTA-Overlay project is an effort to use JXTA technology to provide a generic set of functionalities that can be used by developers to deploy P2P applications. Since its design mainly focuses on issues such as scalability or overall performance, it does not take security into account. However, as P2P applications have evolved to fulfill more complex scenarios, security has become a very important aspect to take into account when evaluating a P2P framework. This work proposes a security extension specifically suited to JXTA-Overlay¿s idiosyncrasies, providing an acceptable solution to some of its current shortcomings.El proyecto JXTA-Overlay es un esfuerzo por utilizar la tecnología JXTA para proporcionar un conjunto genérico de funciones que pueden ser utilizadas por los desarrolladores para desplegar aplicaciones P2P. Aunque su diseño se centra principalmente en cuestiones como la escalabilidad y el rendimiento general, no tiene en cuenta la seguridad. Sin embargo, como las aplicaciones P2P se han desarrollado para cumplir con escenarios más complejos, la seguridad se ha convertido en un aspecto muy importante a tener en cuenta a la hora de evaluar un marco P2P. Este artículo propone una extensión de seguridad específicamente adaptada a la idiosincrasia de JXTA-Overlay, proporcionando una solución aceptable para algunas de sus deficiencias actuales.El projecte JXTA-Overlay és un esforç per utilitzar la tecnologia JXTA per proporcionar un conjunt genèric de funcions que poden ser utilitzades pels desenvolupadors per desplegar aplicacions P2P. Tot i que el seu disseny se centra principalment en qüestions com ara la escalabilitat i el rendiment general, no té en compte la seguretat. No obstant això, com que les aplicacions P2P s'han desenvolupat per complir amb escenaris més complexos, la seguretat s'ha convertit en un aspecte molt important a tenir en compte a l'hora d'avaluar un marc P2P. Aquest article proposa una extensió de seguretat específicament adaptada a la idiosincràsia de JXTA-Overlay, proporcionant una solució acceptable per a algunes de les seves deficiències actuals

A Security Framework for JXTA-Overlay

En l'actualitat, la maduresa del camp de la investigació P2P empès a través de nous problemes, relacionats amb la seguretat. Per aquesta raó, la seguretat comença a convertir-se en una de les qüestions clau en l'avaluació d'un sistema P2P, i és important proporcionar mecanismes de seguretat per a sistemes P2P. El projecte JXTAOverlay fa un esforç per utilitzar la tecnologia JXTA per proporcionar un conjunt genèric de funcions que poden ser utilitzades pels desenvolupadors per desplegar aplicacions P2P. No obstant això, encara que el seu disseny es va centrar en qüestions com ara l'escalabilitat o el rendiment general, no va tenir en compte la seguretat. Aquest treball proposa un marc de seguretat, adaptat específicament a la idiosincràsia del JXTAOverlay.At present time, the maturity of P2P research field has pushed through new problems such us those related with security. For that reason, security starts to become one of the key issues when evaluating a P2P system and it is important to provide security mechanisms to P2P systems. The JXTAOverlay project is an effort to use JXTA technology to provide a generic set of functionalities that can be used by developers to deploy P2P applications. However, since its design focused on issues such as scalability or overall performance, it did not take security into account. This work proposes a security framework specifically suited to JXTAOverlay¿s idiosyncrasies.En la actualidad, la madurez del campo de la investigación P2P empujado a través de nuevos problemas, relacionados con la seguridad. Por esta razón, la seguridad comienza a convertirse en una de las cuestiones clave en la evaluación de un sistema P2P, y es importante proporcionar mecanismos de seguridad para sistemas P2P. El proyecto JXTAOverlay hace un esfuerzo por utilizar la tecnología JXTA para proporcionar un conjunto genérico de funciones que pueden ser utilizadas por los desarrolladores para desplegar aplicaciones P2P. Sin embargo, aunque su diseño se centró en cuestiones como la escalabilidad o el rendimiento general, no tuvo en cuenta la seguridad. Este trabajo propone un marco de seguridad, adaptado específicamente a la idiosincrasia del JXTAOverlay

Flexible and Scalable Public Key Security for SSH

A standard tool for secure remote access, the SSH protocol uses public-key cryptography to establish an encrypted and integrity-protected channel with a remote server. However, widely-deployed implementations of the protocol are vulnerable to man-in-the-middle attacks, where an adversary substitutes her public key for the server\u27s. This danger particularly threatens a traveling user Bob borrowing a client machine. Imposing a traditional X.509 PKI on all SSH servers and clients is neither flexible nor scalable nor (in the foreseeable future) practical. Requiring extensive work or an SSL server at Bob\u27s site is also not practical for many users. This paper presents our experiences designing and implementing an alternative scheme that solves the public-key security problem in SSH without requiring such an a priori universal trust structure or extensive sysadmin work--although it does require a modified SSH client. (The code is available for public download.

Federated identity architecture of the european eID system

Federated identity management is a method that facilitates management of identity processes and policies among the collaborating entities without a centralized control. Nowadays, there are many federated identity solutions, however, most of them covers different aspects of the identification problem, solving in some cases specific problems. Thus, none of these initiatives has consolidated as a unique solution and surely it will remain like that in a near future. To assist users choosing a possible solution, we analyze different federated identify approaches, showing main features, and making a comparative study among them. The former problem is even worst when multiple organizations or countries already have legacy eID systems, as it is the case of Europe. In this paper, we also present the European eID solution, a purely federated identity system that aims to serve almost 500 million people and that could be extended in midterm also to eID companies. The system is now being deployed at the EU level and we present the basic architecture and evaluate its performance and scalability, showing that the solution is feasible from the point of view of performance while keeping security constrains in mind. The results show a good performance of the solution in local, organizational, and remote environments

Important Lessons Derived from X.500 Case Studies

X.500 is a new and complex electronic directory technology, whose basic specification was first published as an international standard in 1988, with an enhanced revision in 1993. The technology is still unproven in many organisations. This paper presents case studies of 15 pioneering pilot and operational X.500 based directory services. The paper provides valuable insights into how organisations are coming to understand this new technology, are using X.500 for both traditional and novel directory based services, and consequently are deriving benefits from it. Important lessons that have been learnt by these X.500 pioneers are presented here, so that future organisations can benefit from their experiences. Factors critical to the success of implementing X.500 in an organisation are derived from the studies

UXP Portal 2.0 Functional Requirements Specification

Cybernetica on välja töötanud toote Unified eXchange Platform (UXP), pakkumaks turvalist ja töökindlat organisatsioonidevahelist andmevahetuskihti. UXP Portal on universaalne klientrakendus üle UXP platvormi pakutavate teenuste tarbimiseks. UXP Portal’i esimese versiooni põhjal tehtud järeldused viisid vajaduseni arendada välja versioon 2.0.Käesolev bakalaureusetöö kirjeldab UXP Portal 2.0 arendusprotsessi käigusvalminud äriprotsesside modelleerimise ja funktsionaalsete nõuete spetsifitseerimise tööprotsessi ja tulemusi. Projekti tarkvaraarendusprotsessi aluseks on Rational Unified Process (RUP). Projekti raames valminud skeemid järgivad unifitseeritud modelleerimiskeele (UML) põhimõtteid. Nii talitluse kui ka süsteemi käitumise kirjeldamiseks on kasutatud kasutusmallimudeleid. Valminud kasutusmallimudelid on sisendiks arendusprotsessi järgnevatele tööülesannetele.Nõuete spetsifitseerimise muutis keeruliseks tõsiasi, et UXP Portalit arendatakse ettevõtte oma tootena ehk puudub konkreetne klient, kellega koostöös nõudeid välja selgitada. Sellest hoolimata võib välise interaktsioonidisaineriga toimunud koostöö põhjal hinnata, et funktsionaalsete nõuete spetsifikatsioon oli piisava detailsusastmega koostöö alustamiseks.Cybernetica has developed the Unified eXchange Platform (UXP) — an interoperability platform designed to serve as a secure and reliable data exchange infrastructure.UXP Portal is a component that serves as a universal client applicationfor accessing services over UXP infrastructure. Experience with the initial version of UXP Portal led to the development of version 2.0.This Thesis describes the process and the outputs of business process modelingand functional requirements specification for the development of UXP Portal 2.0.The development process is based on the Rational Unified Process (RUP). Themodels were created using Unified Modeling Language (UML) notation. Use-Case Models were developed for both the business and system level domains. The Use- Case Models will serve as an input for the implementation tasks.The requirements specification process was complicated by the fact that UXPPortal is developed as a product that has no direct customer to elicit requirements from. However, the requirements specification described in this Thesis proved to be sufficient for designing a user interface prototype in cooperation with an external interaction designer

Mobile identification as a service

Dissertação de mestrado integrado em Informatics EngineeringThe benefits of using mobile identification applications as substitutes for physical documents are obvious, whether these are university student cards, company employee identification cards, the citizen card or driving license. However, as these applications grow in popularity and complexity, new requirements and needs arise that need to be addressed without disturbing the normal behavior of the application. Often the data needed to provide an authentication service is spread across multiple servers, which need to be integrated. This becomes more complicated and complex when an application provides more than one form of authentication (a driving license and a student card require data provided by different services). In this dissertation we are going to look for solutions that allow to develop an architecture that is prepared to integrate new services at runtime and allows the management of the system, maintaining its dynamic and independence from third parties, regardless of the technology and form of communication used by them. So, this dissertation presents the state of the art regarding the integration of multiple service providers and the design and implementation a proposed solution, using the WSO2 products to do so. This process is performed in the context of the mobile ID, that is a implementation of a mobile driving license based on the ISO/IEC 18013-5:2021.São cada vez mais evidentes os benefícios do uso de aplicações de identificação móvel como substitutos aos documentos físicos, sejam estes cartões de estudantes universitários, cartões de identificação de funcionários de empresas, o cartão de cidadão ou a carta de condução. No entanto, à medida que estas aplicações se tornam mais populares e mais complexas, surgem novas ex igências e necessidades que precisam de ser colmatadas sem perturbar o normal funcionamento da aplicação. Muitas vezes os atributos necessários para fornecer um serviço de identificação encontram-se distribuídos por múltiplos servidores, que necessitam de ser integrados. Isto torna-se mais complicado e complexo quando uma aplicação disponibiliza mais de uma forma de identificação (uma carta de condução e um cartão de estudante requerem dados fornecidos por multiplos e diferentes serviços). Nesta dissertação vamos procurar soluções que permitam desenvolver uma arquitetura que esteja preparada para integrar novos serviços em runtime e permitir toda a gestão do sistema, mantendo a aplicação dinâmica e independente de entidades terceiras, independentemente da tecnologia e forma de comunicação usada pelo serviço. Assim, nesta dissertação é apresentado o estado da arte relativamente à integração de múltiplos fornece dores de serviço e o design e implementação da solução proposta, utilizando os produtos do WSO2 para fazê lo. Todo este processo é realizado no contexto do mobile ID, que é uma implementação da carta de condução digital baseada na ISO/IEC 18013-5:2021